similar to: Question about certificates on Samba AD/DC

Thanks Gabben and Andrew. I've understood but a new question emerged: Each DC server on my domain has a different pair cert/key and a different CA cert after deployment, correct? If so, is it a best practice to generate new cert for each DC server and sign them with a unique CA? OBS: Every DC servers belongs to the same domain. -- Igor Sousa Em dom., 14 de jun. de 2020 ?s 16:46, Andrew

I am getting myself confused, and need someone who fully understands this process to help me out a bot. I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office. My domain is hosted by networksolutions, but I don't run my imap server there. I am assuming I'll need to pay a CA to generate what I need, but I'm confused about what I

I am banging my head against the wall for recently built hosts that are unable to verify the server''s certs. The usual is not working. on the puppet agent machine: find /var/lib/puppet/ssl -type f -delete on puppet master: puppetca --clean <new_host_cert> on agent: puppetd --server puppet --waitforcert 2 --no-daemonize -d -o on puppet master: puppetca --sign

Good. I am going to focus on the IMAP configuration and worry about SMTP later. The following is the relevant documentation. This is very straightforward: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/ My file 10-ssl.conf is untouched. However, this is the part that I would like to better understand: https://doc.dovecot.org/admin_manual/ssl/certificate_creation/ Before

Hi Igor, You certainly don?t want a different CA for each DC, and you typically do want an individually generated certificate and private key for each server. PKI is typically a tree hierarchy, which is a critical feature in the trust relationships across any environment. You want one (root) CA, and possibly 1-3 intermediate CAs depending on the complexity of your infrastructure ( intermediate

That would make a lot of sense. Andrew Bartlett On Sun, 2020-06-14 at 17:15 -0300, Igor Sousa wrote: > Thanks Gabben and Andrew. I've understood but a new question emerged: > Each DC server on my domain has a different pair cert/key and a > different CA cert after deployment, correct? > > If so, is it a best practice to generate new cert for each DC server > and sign them

Dear All This is my continuation of postfix setup. Following link http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServerfor postfix setup. At one stage it says, Configuring The Server Setup SSL Certificate Now generate an SSL certificate for postfix and dovecot to have TLS support. Replace mail.example.com with your server hostname. > genkey --days 3650

I'm setting up certbot/letsencrypt to provide a certificate for dovecot and sendmail. Is it necessary to restart dovecot to load the new certificate, as shown in most examples I find in blogs? That seems rude to established connections. When does dovecot read the cert and key files? Once at startup or each time a connection requests SSL? Is there a preferred locking protocol when changing

I have self certified Dovecot as so: ssl = required ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem userdb { args = /etc/dovecot/dovecot-mysql.conf driver = sql } in order for end user to avoid webmail warnings or email client warnings, do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users say under

Hi all, I've used Dovecot since February 2012, but because I kept reinstalling Linux with every major version, I never had a Dovecot self-signed certificate go bad on me before. Til now. I started using rolling release Void Linux about a year ago, and my Dovecot self-signed certificate just expired. The solution I used is contained in these documents:

Hello, Running latest Puppet 2.7rc4, Ruby 1.9.2 p180, slackware 13.37 64. Default (webrick) setup, no mongrel no apache. Running puppet master on the main puppet server works fine, no problem. Running puppet agent on the same machine works fine, no problem. Running puppet agent on a client server (separate machine) connecting to master gives the following error: "err: Could not request

Hi - I read up on this subject quite a bit, and was able to find a few posts on the mailing list, even found a wiki article. Unfortunately it doesn''t quite address what I''m looking to do. From what I understand, Puppet''s client/server authentication system - using SSL - is portable. I believe that I should be able to use the same SSL certificates and keys (and even

Hello, I found this Morning a Message in my Logs, that is new for me and I never seen this before? Is this a Error in the Certificate System?? The certificate for www.example.at has expired Datum: 08.07.17 06:31 Von: root <gjn+www at example.at> An: gjn+www at example.at ################# SSL Certificate Warning ################ Certificate for hostname 'www.example.at', in

Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ? Bastian, are you using an old version of thunderbird ? googling for "SSL alert number 42" gave me two results indicating a bug in thunderbird versions 31,32 and 33. You can check these links if you wish : *

So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate. I hopped on to the server and checked and? no, the LE certs renewed last month and are valid until November. After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything. Should dovecot

I've installed LE certs on my Dovecot a while back, and, it has been working OK since, but, today, an iPhone user said he can't get emails as iphone says 'cert is expired', searching around, I see some other iPhone similar issues reported, do I have my conf correct, I have; # cat dovecot.conf | grep ssl ssl = required verbose_ssl = no ssl_cert =

Hi Daniel, thanks for the reply - The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on, is the location of the CA cert, which in the case of XenServer, I simply put it in /etc/pki/CA. And when I start the libvirtd daemon, it successfully picks it up. If I put the Server key and cert in /etc/vmware/ssl for

At 09:09 AM 4/18/2016, you wrote: >On Mon, 18 Apr 2016, david wrote: > >>FOLLOWUP & REPORT >> >>I had lots of suggestions, and the most persuasive was to try >>OpenVPN. I already had a CA working, so issuing certificates was >>easy. The HOW-TO guides were less helpful than I could hope, but >>comparing several of them, applying common sense, and

On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote: > > Letsencrypt is a very important development, but it has (IMHO) a shaking > foundation.? I would not build a production system around it.? But then I > have lived in aspects of PKI since '95... I presume you meant "shaky foundation"? If so, would you care to elaborate? John -- Many people,

Hello! Certificates from letsencrypt are renewed every three months. Does that mean a MUA has to accept the renewed certificates manually everytime it is renewed? Sorry if this is OT! Greetings Andreas